INFORMATION SECURITY PROGRAM
Department of Transportation

Report Number: FI–2006–002
Date Issued: October 7, 2005

U.S. Department of Transportation
Office of the Secretary of Transportation
Office of Inspector General

Memorandum

Subject: ACTION: Audit of Information Security Program, Department of Transportation
         Report Number: FI-2006-002
Date: October 7, 2005
From: Kenneth M. Mead, Inspector General
Reply to Attn. of: JA–20
To: Chief Information Officer

This report presents the results of our annual audit of the information security program at the Department of Transportation (DOT). In accordance with the Federal Information Security Management Act of 2002 (FISMA), our objective was to determine the effectiveness of DOT’s information security program by measuring progress made in (1) implementing information security requirements since last year, (2) correcting air traffic control system security deficiencies, and (3) enhancing information technology (IT) investment management controls. We also provide input to DOT’s annual FISMA report by answering questions specified by the Office of Management and Budget (OMB). Our input to DOT’s annual FISMA report is in Exhibit A.

Similar to last year, we tested a representative subset of DOT systems, including contractor-operated or -maintained systems that had undergone systems security certification reviews, in order to determine whether DOT had complied with Government standards for (1) assessing system risks, (2) identifying security requirements, (3) testing security controls, and (4) accrediting systems as able to support business operations. We also performed more detailed reviews of the Department’s process for managing remediation of known security weaknesses.

Our audit was conducted in accordance with Generally Accepted Government Auditing Standards prescribed by the Comptroller General of the United States and included such tests as we considered necessary to detect fraud. Details of our scope and methodology are described in Exhibit B.

INTRODUCTION

FISMA requires Federal agencies to identify and provide security protections commensurate with the risk and magnitude of harm resulting from the loss of, misuse of, unauthorized access to, or modification of information collected or maintained by or on behalf of the agency. DOT maintains one of the largest portfolios of IT systems among Federal civilian agencies; it is therefore essential that the Department protect these systems, along with their sensitive data. In fiscal year (FY) 2005, DOT’s IT budget totaled about $2.7 billion.

The Department has 12 Operating Administrations (OA).
However, two OAs were reorganized during FY 2005: the Bureau of Transportation Statistics and the Research and Special Programs Administration have been replaced by the Pipeline and Hazardous Materials Safety Administration and the Research and Innovative Technology Administration. This reorganization enables the Department to more efficiently coordinate and manage the Department’s extensive research efforts and to expedite implementation of cross-cutting, innovative technologies.

Ownership of computer systems was also realigned between the two new component agencies. For FY 2005, the Department is reporting a total of 451 computer systems—about 7 percent fewer than last year—as a result of its continued effort to consolidate systems for FISMA reporting. Among the systems the Department maintains and operates is the air traffic control system, which the President has designated as part of the nation’s critical infrastructure. Other systems owned by the Department include safety-sensitive surface transportation systems and financial systems that disburse over $50 billion in Federal funds each year. Systems inventory counts for FY 2004 and FY 2005 in each OA are detailed in Exhibit C.

RESULTS IN BRIEF

Last year, we reported that DOT had made a concerted effort to correct security weaknesses identified in FY 2001, FY 2002, and FY 2003, years in which the Department reported its information security program as a material weakness under the Federal Managers’ Financial Integrity Act (FMFIA).[1] Progress noted in last year’s report included increased oversight of IT investment management and security controls, strengthened protection of DOT’s network infrastructure against intrusion, and increased security certification reviews. In addition, FAA committed to taking aggressive action to enhance air traffic control security. Based on the progress made and management’s commitment, DOT’s information security program was downgraded to a reportable condition last year.[2]

In 2004, we also identified issues that required continued management attention, such as improving the quality of security certification reviews and making significant progress in enhancing air traffic control system security. DOT has worked to improve the quality of certification reviews and is now performing quality assurance reviews of systems already certified. Although the Department has continued to make progress in these areas, much remains to be done, and new challenges have also emerged.

[1] A material internal control weakness is a significant deficiency in an agency’s overall information systems security program or management control structure or within one or more information systems that (1) significantly restricts the capability of the agency to carry out its mission, or (2) compromises the security of its information, information systems, personnel, or other resources, operations, or assets. The risk is great enough that the agency head and outside agencies must be notified and immediate or near-immediate corrective action must be taken (OMB M-05-15, “FY 2005 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management,” June 13, 2005).
In addition, the Department did not implement a number of critical corrective actions[3] during FY 2005, partially due to turnover of key security personnel in the Office of the Chief Information Officer.

Meanwhile, FAA did not start in earnest to initiate aggressive actions to correct previously identified air traffic control security deficiencies until April 2005, after the Inspector General issued a letter to the Federal Aviation Administrator expressing concerns over the slow pace of FAA’s corrective actions. FAA’s progress improved, but since this effort only began in April, its overall progress in better securing air traffic control system operations for FY 2005 was insufficient.

In recent years, our office has issued several reports recommending that FAA act quickly to correct security deficiencies found in air traffic control systems.[4] Providing adequate security over these facilities is critical because the President has designated the air traffic control system part of the nation’s critical infrastructure due to the important role commercial aviation plays in fostering and sustaining the national economy and ensuring the safety and mobility of citizens. In addition, our office is in the process of issuing two new reports identifying deficiencies in security over FAA’s system for maintaining air traffic control surveillance, navigation, and communications equipment and deficiencies in physical security at air traffic control facilities. Despite all the advanced technologies deployed in today’s environment, adequate physical security is essential to ensuring safe and uninterrupted air traffic control services to the American public.

[2] A reportable condition is a security or management control weakness that does not rise to the level of a significant deficiency, yet is still important enough to be reported to internal management (OMB M-05-15, “FY 2005 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management,” June 13, 2005).

[3] These include developing standards for secure configuration of Oracle databases used in many major Departmental systems, ensuring timely correction of computer vulnerabilities identified, and directing OAs to relocate their system recovery sites that are too close to DOT Headquarters.

[4] OIG Report Number FI-2004-078, “Audit of Security and Controls over En Route Center Computer Systems,” August 9, 2004. OIG Report Number FI-2005-003, “Audit of Security and Controls over Technical Center Computer Systems,” November 5, 2004. Most OIG reports can be accessed on our website: www.oig.dot.gov. The Department has determined that these reports contain Sensitive Security Information (SSI) as defined by 49 CFR Part 1520. Accordingly, they are not available for public inspection or copying. The regulations provide that, under the Freedom of Information Act (FOIA) and the Privacy Act, should a document contain both SSI and non-SSI information, the Department may disclose the document with the SSI information redacted, so long as this information is not otherwise exempt from disclosure under FOIA or the Privacy Act.
In FY 2005, the Government Accountability Office also identified the need to enhance computer security protection in air traffic control systems and physical security protection at air traffic control facilities.[5]

The most significant challenges are summarized below.

The Department Faces a Challenge in Recertifying Systems Security While Enhancing the Quality of Certifications

Last year, the Department increased the percentage of systems completing security certification reviews from 33 percent to over 90 percent. However, DOT has a significant challenge ahead in recertifying systems while improving the quality of system certifications. OMB requires Federal systems security to be recertified at least every 3 years because systems are constantly changed to support evolving business and technical needs.

Unlike last year, the Department did not have a planned schedule or designated resources to perform this task during FY 2005. In late August, we brought to management’s attention that about 15 percent of Departmental systems were overdue for recertification. Since then, the Department has engaged in a very ambitious plan to recertify the security of these systems by the end of the fiscal year. Committing resources to recertifying systems security will be a continuing challenge to the Department, with more than 300 systems due for recertification in the next 2 years.

The quality of the security certification reviews improved during FY 2005. Last year, we reported deficiencies such as inadequate risk assessments, a lack of evidence of security tests, and systems accredited by inappropriate officials. This year our sample review of 20 system security certification reviews identified fewer deficiencies in the 6 certification reviews completed in FY 2005. Nonetheless, improving the quality of the certification reviews will be a major challenge to the Department because of the large number of systems that will need to be recertified in 2006 and 2007.

[5] GAO-05-712, “Information Security: Progress Made, but Federal Aviation Administration Needs to Improve Controls over Air Traffic Control Systems,” September 26, 2005.

The Department Needs To Better Manage Correction of Systems Security Deficiencies

During FY 2005, the Department collected detailed data to track and prioritize efforts to correct identified security weaknesses, as required by OMB.[6] With this more complete view, it became clear that the Department needs to strengthen its system security correction activities to ensure that weaknesses are being fixed in a timely manner and that the most critical weaknesses are corrected first. Currently, the Department has about 3,000 weaknesses that need to be fixed. However, management could not effectively prioritize their correction because 1,620 of the weaknesses are missing information such as their severity and the cost needed to correct them. Even so, some of these weaknesses clearly require immediate action. For example, one of the pending actions is to enhance password security protection in a system that contains privacy information. This inexpensive fix would significantly reduce the risk of unauthorized access.

We understand that management cannot tackle every deficiency at once, especially in today’s tight budget environment. Management has to make realistic decisions, balancing system importance, risk, and cost in prioritizing remediation efforts. Yet items requiring immediate attention should not be allowed to be delayed.
We found that more than 300 identified deficiencies had passed their target completion dates by more than 6 months. Some of these overdue items were deemed to have a severe impact on the integrity of program operations, such as causing adverse effects on communications among air traffic control facilities.

[6] The process employed to track and prioritize security remediation efforts is referred to as a plan of action and milestones (POA&M) in DOT’s FISMA reporting to OMB.

FAA Did Not Take Aggressive Actions To Enhance Air Traffic Control Systems Security

Last year FAA committed to completing security reviews of all operational air traffic control systems—at en route, approach control, and airport terminal facilities—within 3 years and to identifying a cost-effective alternative to restoring essential air service in the event of prolonged service disruption at an en route facility.

During FY 2005, FAA took limited steps in fulfilling its commitment to address prior air traffic control systems security recommendations. FAA fell short of fully addressing its commitments, as identified below:

• FAA collected system security information on only about half of the systems used to support en route (high-altitude) air traffic services. En route centers currently rely on approximately 30 systems to deliver safe and efficient air traffic control services. Since information was collected only on half of the systems, other critical systems, such as the system that routes critical weather and flight plan data to all en route centers, were not reviewed.

• FAA has not analyzed the information collected and therefore has not determined what remediation work is needed to better secure operational en route systems.

• FAA officials did not perform any independent testing on-site. As demonstrated by the Government Accountability Office and our reports, testing is the key to identifying potential security breaches. Performing independent testing on high-risk systems is also required by FISMA.[7]

Finally, while FAA has identified a cost-effective alternative to restoring essential en route air service in case of prolonged service disruption, it is years away from implementing the alternative. Implementing the selected alternative is a complicated endeavor but critical to supplementing FAA’s current business continuity strategy, one that has worked well in the past in dealing with temporary, less severe service disruptions.

Departmental Oversight of Major System Investments Needs To Be Enhanced

Last year, we reported that the Departmental Investment Review Board needed to perform more substantive and proactive reviews of IT investments managed by individual OAs. This remains a challenge, especially for air traffic control modernization projects, which account for over 80 percent of the Department’s IT budget.

This year, the Board reviewed investment projects managed by various OAs, including FAA. While projects managed by most OAs have benefited from the Board’s oversight, the Board has had little positive impact on complicated air traffic control projects, which are still experiencing significant cost increases and schedule delays.
We reviewed 16 FAA major acquisitions and found that 9 projects had experienced schedule delays of 2 to 12 years and 11 projects had experienced cost growth of about $5.6 billion (from $8.9 billion to $14.5 billion). The bulk of the cost growth represented by the $5.6 billion occurred before the establishment of the new Air Traffic Organization and had been building for some time without being recognized. Some of the major investment projects have experienced persistent cost and schedule problems, such as the Wide Area Augmentation System and the Standard Terminal Automation Replacement System.

[7] FISMA requires agencies to meet the minimum Government security standards developed by the National Institute of Standards and Technology (NIST). NIST Special Publication 800–37, “Guide for the Security Certification and Accreditation of Federal Information Systems,” requires independent security testing when reviewing high-risk systems.

Nine years after Congress passed acquisition reform for FAA, exempting it from compliance with Federal acquisition regulations, air traffic control modernization projects are still experiencing performance problems, along with the cost increases and schedule delays. Further, FAA’s acquisition process has stayed on the Government Accountability Office’s high-risk list since 1995. Meanwhile, FAA continues to initiate new, costly, and complex IT modernization projects. This year, two new multibillion-dollar FAA investment projects—FAA Telecommunications Infrastructure and En Route Automation Modernization—went forward to OMB without reliable cost, schedule, and other project information. OMB rejected the budget submissions and asked the Board to reexamine business cases for these investment projects.

We are concerned that the Board’s review of major FAA IT investment projects is not providing value-added services as intended and is facing the risk of becoming a paperwork exercise that provides little substantive value to the Secretary. There are two basic reasons for this.

• First, there is a lack of clarity about the Board’s role in reviewing major FAA investment projects. The Clinger-Cohen Act of 1996 requires the Secretary to implement a process for “maximizing the value and assessing and managing the risks of the information technology acquisitions of the executive agency.” The Board was created as part of this process and is tasked with advising the Secretary whether to continue, modify, or terminate major IT investments. However, FAA has frequently cited its independent acquisition authority, based on provisions in the Department’s Appropriations Act for Fiscal Year 1996, to argue that the Board should play only a limited role in overseeing FAA investments. The provision in the Appropriations Act exempted FAA from compliance with the Federal acquisition regulations and key Federal procurement laws to help make the acquisition process more timely and cost-effective.

  The issue that needs to be resolved is whether FAA’s exemption from compliance with the Federal procurement regulations also applies to management oversight required by the Clinger-Cohen Act. Until this issue is resolved, it is our opinion that the Board’s continued “review” of FAA’s multibillion-dollar investment projects will not result in “maximizing the value and assessing and managing the risks of the information technology acquisitions” and will impede the Secretary’s ability to fulfill his Clinger-Cohen Act requirements.

• Second, to be effective, the Board needs to perform more substantive, in-depth, analytical reviews of progress, problems, and risks associated with these complicated investments. The current level of support available to the Board is not sufficient to allow the members to make responsible decisions about these investments. The Board relies on the “prep group” process, during which OA representatives perform a cursory review of each other’s investment projects. This “prep group” is led by an Associate Chief Information Officer with the support of one mid-level staff person who came on board only 4 months ago. Obtaining adequate support to research potential project shortfalls in cost, schedule, and performance is essential if the Board is to perform oversight to maximize the value and to manage the risks of major IT investments in the Department.

We are making a series of recommendations on pages 21 through 23 of this report to help the Department strengthen its information security program and improve oversight of its multibillion-dollar annual IT investments. The office of the Departmental Chief Information Officer (CIO) agreed with our findings and recommendations.
We have requested that DOT provide written comments describing the specific actions it will take to implement these recommendations.

FINDINGS

Systems Security

Last year, the Department made a concerted effort to increase the percentage of systems completing the security certification review from 33 percent to over 90 percent. However, the Department did not make the same commitment to this task during FY 2005. As a result, we found that about 15 percent of Departmental systems were overdue for recertification in late August. While the quality of the security certification review has improved during FY 2005, continued management attention is needed to ensure that quality is improved during system recertification reviews. Further, DOT needs to improve the process it uses in correcting identified security weaknesses to ensure that weaknesses are prioritized and corrected in a timely manner.

Systems Security Reviews Need To Be Updated

Conducting systems security certification reviews is not a one-time challenge but an ongoing business requirement. OMB requires Federal systems security be recertified at least every 3 years because systems are constantly changed to support evolving business and technical needs. Expired security certification and accreditation reviews present little value to management. About 90 percent of all DOT systems will have to undergo security certification review between FY 2005 and FY 2007, as shown in Table 1.

Table 1. DOT Systems Security Inventory Certification as of August 2005

  OA*      Total     Systems Left To Be       Systems To Be            Systems To Be
           Systems   Recertified in FY 2005   Recertified in FY 2006   Recertified in FY 2007
  FAA        263       40                        22                      155
  FHWA        25      ---                         5                       19
  FMCSA       18      ---                         6                       11
  FRA         21      ---                         3                       16
  FTA          9        1                         3                        2
  MARAD       12      ---                         4                        2
  NHTSA       40       31                         7                      ---
  OST         47        3                        30                       11
  PHMSA        3      ---                        33                      ---
  RITA        28      ---                         3                        8
  SLSDC        1      ---                         1                      ---
  STB          2      ---                         2                      ---
  Total      469       75                       119                      224

  * The full names of the DOT Operating Administrations and the system inventory counts for FY 2004 and FY 2005 are contained in Exhibit C.

However, in FY 2005, the Department did not assign a priority to completing security recertification reviews. In late August, we found that 75 (15 percent) of Departmental systems no longer had valid security certifications because the reviews were over 3 years old. We brought the issue to management’s attention, and the Department engaged in an ambitious plan to recertify these systems by the end of the fiscal year. Our sample review of 20 systems also identified 3 systems with expired security certifications. The Department needs to assign a priority to completing security recertification reviews during FY 2006 and FY 2007, when over 300 systems will need to be recertified.

OMB also requires agencies to have systems security recertified sooner than every 3 years if the system has experienced major changes. In our sample review, we found four systems that had experienced major changes since they were certified and accredited, but none had been recertified. For example, one Maritime Administration system was moved from a contractor’s site to the DOT Headquarters building in 2004, which completely changed its computing environment and thus could create new vulnerabilities. However, the Maritime Administration does not plan to recertify the system until August 2006, when the current certification review expires.

Quality of Certification Reviews Needs To Be Enhanced

Last year, we found deficiencies in the quality of systems security certification reviews, such as inadequate risk assessments, lack of evidence of security tests, and lack of proper senior management involvement in accrediting systems to support program operations. During FY 2005, the CIO Office increased its oversight of the quality of certification reviews, as we recommended.
OMB also\nrequires agencies to comply with standards established by the National Institute of\nStandards and Technology (NIST) in conducting security certification reviews\nafter. 8 We sampled 20 systems security reviews\xe2\x80\x9414 performed before May 2004\nand 6 after. Our test results indicated that the quality of certification reviews has\nimproved in the newer certification reviews (see Table 2).\n\n     Table 2.           Quality of Systems Security Certification Reviews\n\n      Number of Systems                Risk            No Evidence          Weakness Not                Not\n            Sampled                 Assessment         of Security          Summarized               Accredited\n           (Number)                  Missing             Testing                (3)                  by Proper\n                                        (1)                (2)                                        Official\n                                                                                                        (4)\n    Certified Before                       2                  6                     13                   0\n    May 2004 (14)\n    Certified After                        0                  1                      4                      1\n    May 2004 (6)\n     Total                                 2                  7                     17                      1\n\n\n(1) Risk Assessment. Government security standards require agencies to perform\n    security risk assessments based on potential impact to the confidentiality,\n    integrity, and availability of respective system operations.       The risk\n    assessment performed for two systems before May 2004 lacked such\n    specificity. 
A risk assessment is key because it determines the level of\n    security protection and the degree of testing needed to certify a system as\n    adequately secured commensurate with associated operational risks.\n\n\n\n8\n    Federal Information Processing Standards Number 199, \xe2\x80\x9cStandards for Security Categorization of          Federal\n    Information and Information Systems,\xe2\x80\x9d and NIST Special Publication 800\xe2\x80\x9337, \xe2\x80\x9cGuide for the Security Certification\n    and Accreditation of Federal Information Systems.\xe2\x80\x9d The special publication will become part of the minimum\n    Government security standards in December 2005.\n\x0c                                                                                     11\n\n\n(2) Security Testing. While a systems security certification review is valid for\n    3 years as long as no major changes are made to the system, agencies are also\n    required to perform limited annual security testing between certification\n    reviews. Since security testing is a critical component of the certification\n    review process, we independently tested a basic password security control in\n    four systems\xe2\x80\x94three certified before May 2004 and one after. All these\n    systems were certified as having the ability to \xe2\x80\x9clock out\xe2\x80\x9d users after they\n    entered three incorrect passwords. However, two of the three systems\n    certified before May 2004 failed our testing.\n\n(3) Summarizing Weaknesses. Last year, we recommended that the CIO Office\n    develop guidance for OAs to use in summarizing security test results that\n    would assist accrediting officials when they decide whether to allow the\n    system to operate. This area still requires more management attention.\n    Security weaknesses were not summarized in both old and new certification\n    reviews, inhibiting the ability of accrediting officials to easily evaluate\n    remaining risks. 
The final step in a security certification and accreditation review is for the authorizing official to accept (or accredit) the system as adequately secured, commensurate with its associated risks to support business operations. Authorizing officials need to know what remaining risks and corrective actions are planned before approving any system for operation.

(4) Proper Certification and Accreditation. Last year, we recommended that the CIO Office modify Departmental guidance to ensure that accreditation is done by appropriate senior officials. However, we continue to find problems in this area. One of the six certification reviews performed after May 2004 was accredited by a mid-level system manager, not the senior official responsible for the program office using the system. Obtaining system accreditation from the correct authorizing official is critical because this official has to accept the system risk (or impact) on business operations and also be able to allocate budget resources to secure the system.


More Attention Needed To Correct Known Security Weaknesses
In reviewing DOT’s plans of action and milestones to correct known security weaknesses, we identified several concerns with the process.

• There are about 3,000 known security weaknesses. However, management has not assessed the severity of more than half of them (1,600) or provided cost estimates for fixing the vast majority of these weaknesses. Without this information, management cannot effectively prioritize the use of limited resources so that the most significant weaknesses get fixed first. Some of these unprioritized weaknesses require immediate remediation.
  For example, one of the pending corrections is to enhance password security protection in a system that contains privacy information to reduce the risk of unauthorized access.

  Planned remediation of more than 300 security deficiencies has been delayed for more than 6 months past scheduled completion dates, including items deemed to have a severe impact on the integrity of program operations, such as causing adverse effects on communications among air traffic control facilities (see Table 3).

     Table 3. Remediation of Security Weaknesses

     Status                            Remediation Items
     Prioritized                                  1,205
        Overdue*              309
        Current               896
     Not Prioritized                              1,620
     Total                                        2,825
     * Of the 309 overdue items, 7 were rated with high severity, 56 medium, and 246 low.

  We understand that not everything can be tackled at once, especially in today’s tight budget environment. Management has to make realistic decisions, balancing system importance, risk, and costs in order to prioritize remediation efforts. Yet management cannot effectively prioritize corrective actions if it lacks information on the associated risks and costs.

• The system used to track known security weaknesses lacks security protection itself. Currently, OA users not only can read but also can change the information entered by other users. This is a clear violation of the Department’s policy for granting access to people on a need-to-know basis, especially for sensitive information such as air traffic control system weaknesses.
  Further, there is no management audit trail logging all changes made to the system to ensure accountability.

Network Security
DOT maintains over 400 public web sites to provide Internet services to the public, and tens of thousands of computers on its private networks process sensitive information. Together, they form the IT infrastructure to support DOT missions. DOT has made significant strides in securing this infrastructure since we started performing annual computer security audits in FY 2001. The most noteworthy accomplishments include strengthening access security controls at the Internet connection points (the “front doors”) and other network entry points (the “back doors”), establishing security incident-response centers, and regularly checking for potential vulnerabilities in network computers. Last year, we also reported that DOT started developing security configuration policies for commonly used software.

This year, we found that the Department needs to enforce implementation of the security configuration policies, ensure that computer vulnerabilities are corrected in a timely manner, and complete deployment of the intrusion-detection system at one Internet connection point.


Security Configuration Policy Needs To Be Enhanced and Enforced
Configuration management controls need enhancement and enforcement. Proper configuration is key to preventing computer vulnerabilities. FISMA requires each agency to develop specific IT security configuration requirements that meet its needs and to implement the requirements. Last year, we reported that the CIO Office issued baseline security standards for configuring computers using the following five software packages: server-based Windows, Linux, Solaris, Cisco (router), and wireless devices such as personal digital assistants.
OAs were required to configure their computers in accordance with these standards.

However, there is little assurance that these security standards have been implemented, due to the lack of enforcement. In June 2005, the CIO Office asked OAs to provide information on their implementation status. Only 4 of the 12 OAs provided statistics on their implementation efforts (see Table 4).

     Table 4. Implementation of Security Configuration Policy

     Operating Administration                          Windows Servers   Cisco Router   Solaris   Linux
     Federal Highway Administration                          95%             46%          93%     n/a*
     Federal Motor Carrier Safety Administration            100%             85%          n/a     n/a
     Research and Innovative Technology Administration       92%             75%          94%     100%
     Federal Railroad Administration                         29%             49%          n/a     17%
     * n/a: not applicable because the technology is not used.

Also, two important configuration standards, for the Oracle database and for web application software, are still not final, and both products are widely used in DOT. The Oracle database is used in key application systems, such as the Departmental accounting system (Delphi), the Federal Highway Administration’s grants management system, FAA’s labor distribution system, and the National Highway Traffic Safety Administration’s defect investigation system. Web application software is used not only to program web sites but also to serve as the front-door interface to key DOT systems. Vulnerabilities embedded in web application software could leave DOT systems open to attack.
In response to last year’s recommendations, the CIO Office issued draft standards for secure configuration of the Oracle database on September 27, 2004, and for web applications on September 29, 2004. However, these standards are still not finalized, partially due to turnover of key security personnel in the CIO Office.

The Department needs to immediately finalize the configuration standards for the Oracle database and web applications and to develop enforcement mechanisms ensuring that DOT computers are configured in accordance with security standards.


Network Vulnerabilities Need To Be Checked and Corrected in a Timely Manner
DOT still faces a challenge in patching its computer systems in a timely manner. Our recent audit of the Federal Railroad Administration systems network found many vulnerabilities, some of which had been previously reported but remained uncorrected. These weaknesses enabled us to gain total control (root-level access) over a critical file server, desktop computers, and a network switch. From these computers, we accessed sensitive information that enabled us to gain unauthorized entry from the Internet and obtain sensitive information such as draft safety inspection reports and proposed penalties for safety violations. Given the interconnectivity among all DOT networks, this security lapse also puts other Departmental systems at risk. Federal Railroad Administration management is taking action to eliminate all critical vulnerabilities.

The recent Zotob worm attack also showed the need for more timely installation of software patches. More than 700 DOT computers were infected by this worm. The attack occurred 4 days after Microsoft Corporation released a patch to fix a security flaw in its Windows operating system.
In DOT, 7 of 12 OAs were infected because they did not install the patch quickly, resulting in operational disruption.

The Zotob worm was first introduced into DOT’s network by a contractor who connected his laptop computer to DOT’s network, which was a violation of Departmental policy. Nonetheless, this incident highlighted an emerging challenge facing DOT and other Federal agencies concerning security checks on computers used by the telecommuting workforce. For example, about half of all Federal Railroad Administration computers are not subject to routine vulnerability checks because they are being used by employees who telecommute (or travel around the country) for the majority of the year. These unchecked computers, if infected with hostile software, could become conduits for spreading problems to the rest of the networks. DOT needs to develop a mechanism to ensure that all computers used by telecommuting employees are periodically checked for vulnerabilities and patched with the latest security upgrades.


Intrusion-Detection Capability Needs To Be Improved
Intrusion-detection systems are software or hardware systems used to help detect either the unauthorized use of or attack upon a computer or network. This security is particularly important to organizations with direct connections to the Internet because of relentless attacks by hackers worldwide. The Federal Railroad Administration is one of the OAs with direct connections to the Internet. However, it has not fully deployed an intrusion-detection system, despite years of effort.
Until the intrusion-detection system is fully implemented, DOT cannot effectively protect its computers in today’s volatile network environment.


System Continuity and Contingency Planning
Contingency plans allow business operations that depend on information systems to continue operating during system service disruptions. In FY 2003, we reported inadequate contingency planning for DOT systems (only 26 percent of systems had such plans) and serious concerns about losing both primary and recovery processing sites for critical systems because they were close to each other. During FY 2004, DOT emphasized this area and reported a significant increase in systems with contingency plans. However, this year we found insufficient testing of contingency plans and continued problems with recovery site locations. The recent events along the Gulf Coast underscore the importance of having adequate geographic distance between primary and recovery sites for continuity of operations.


Contingency Plans Need To Be Tested
OA management is required to assess the consequences of the loss of availability of its computer system services. If deemed to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals, management should rate the potential impact “high.”9 This year we reviewed a sample of 20 systems with different levels of impact—5 high, 8 medium, and 7 low. Overall, almost half had no contingency plan or recovery site identified, and 85 percent had not tested their contingency plans within the previous year (see Table 5).

9 A loss of availability is the disruption of access to or use of information or an information system (FIPS Publication 199).

     Table 5.
     Contingency Planning and Testing

     Availability Rating                High   Medium   Low   Total
     Number of Systems Reviewed            5        8     7      20
     No Contingency Plan                   1        4     4       9
     No Recovery Sites Identified          1        4     5      10
     No Current Testing of                 4        8     5      17
     Contingency Plan


In these times of budgetary constraints, it is important to prioritize which programs and systems are most critical and therefore most in need of continuity of operations during an emergency. For the five high-impact systems, only one system has met all criteria (i.e., having a contingency plan, having a recovery site, and having the plan tested): the National Driver Registry, managed by the National Highway Traffic Safety Administration. The remaining four high-impact systems are all FAA systems. One system that is used to record airman medical examination information did not even have a contingency plan. No contingency plan testing had been performed for any of these systems, including the ones critical to time-sensitive air traffic control services.


Recovery Sites Need To Be Further Separated From Primary Sites
As we reported in both FY 2003 and FY 2004, some OA recovery sites are too close to the primary processing sites for their computer systems, thus risking loss of processing capability from both sites to the same disaster. The CIO Office agreed to develop Departmental policy establishing the minimum distance requirement between the two processing sites. However, after 2 years, the policy has yet to be developed. None of the OAs has relocated its recovery site to reduce the exposure. For example, the geographic distances between the two sites are still 10 miles for highway systems, 15 miles for transportation statistics systems, and 25 miles for transit systems.
As we learned during the 2005 hurricane season, disasters can cover a very wide area.

DOT needs to develop and test contingency plans for the most critical systems, develop a policy on minimum geographical distance between primary and recovery sites, and enforce this policy.


Protecting the Nation’s Critical Infrastructure
The President has designated the air traffic control system part of the nation’s critical infrastructure due to the important role commercial aviation plays in fostering and sustaining the national economy and ensuring the safety and mobility of citizens. FAA is responsible for ensuring that air traffic control facilities, systems, and operations are protected from disruption from man-made or natural events and are able to resume services in a timely manner if disrupted.

Last year, we reported that security certification reviews of en route10 air traffic control computer systems needed to be enhanced. In particular, while officials had certified that en route systems were adequately secured, the reviews did not meet NIST requirements because they were limited to developmental systems at FAA’s technical center computer laboratory. FAA committed to completing security reviews of all operational air traffic control systems—at en route, approach control, and airport terminal facilities—within 3 years. It also agreed to identify a cost-effective contingency plan to restore essential air service should a prolonged disruption affect service at an en route facility.
Implementing the selected plan is a complicated endeavor but critical to supplementing FAA’s current business continuity strategy, one that has worked well in the past in dealing with temporary, less severe service disruptions.

Yet FAA did not start aggressive actions to correct air traffic control security deficiencies previously identified until April of this year, after the DOT Inspector General issued a letter to the Federal Aviation Administrator expressing concerns over the slow pace of FAA’s corrective actions. Progress improved, but since this effort only began in April, overall progress during FY 2005 to better secure air traffic control system operations was insufficient.


Security Certification Reviews Need To Be Expanded
During FY 2005, FAA officials reported that they had conducted security reviews at all en route centers; however, these “reviews” were incomplete. First, FAA conducted site reviews to gather system information only—which has not yet been analyzed—and only on 16 of the 30 high-risk systems used to control air traffic at its en route centers. Since information was collected on only half of the systems, other critical systems, such as the system that routes critical weather and flight plan data to all en route centers, were not reviewed. FAA plans to analyze the data during FY 2006 to determine what remediation work will need to be done.

10 En route centers control traffic over 18,000 feet (high-altitude), approach control centers control traffic between 4,000 and 18,000 feet (mid-level), and airport control towers control landings and takeoffs.

Second, no independent testing was performed at operational sites. Such on-site testing is required to meet minimum Government security standards and is critical for these systems.
Our prior work identified different system configurations between the baseline (development) system and the operational systems. Independent testing may be the only way to detect such differences and assess the security implications.

FAA also needs to develop a schedule and commit resources to conducting security reviews of operational systems used at other air traffic control facilities. This includes systems used to monitor mid-level air traffic at approach control centers and those used to direct landings and takeoffs at airport control towers. It has previously committed to completing these reviews in 2006 and 2007, respectively.


The Selected Contingency Plan Needs To Be Implemented
Operational disruptions at any air traffic control facility have the potential to create significant delays and interruption of air service. Prolonged outages at major facilities, such as en route centers, could severely disrupt air traffic in cascading waves across the country, causing significant economic losses and subjecting travelers to widespread delays and inconvenience. FAA’s current business continuity strategy has worked well in the past in dealing with temporary service disruptions, such as power outages. This year, FAA has selected a cost-effective alternative to restore essential air traffic service in case of prolonged disruption at an en route facility, but FAA is years away from implementing it.

Implementing this alternative will be a complicated endeavor. It will require restoring computer system operations at recovery centers, rerouting radar signals, and retraining or relocating air traffic controllers familiar with the affected airspace. We recognize that FAA faces critical decisions in balancing its priorities in today’s tight budget environment with declining aviation trust fund revenues. Yet items requiring immediate attention should get that attention.
FAA needs to start testing recovery of computer operations at back-up en route centers and aggressively pursue the plan to identify air traffic controllers to operate the reconfigured airspace.


Management Controls
With an annual IT budget of about $2.7 billion, DOT is responsible for one of the largest IT investment portfolios among civilian agencies. As such, it needs to have processes in place that provide reasonable assurance that its major IT projects are adequately justified and monitored to ensure that they deliver promised benefits approximately on time and within budget. The Departmental Investment Review Board is charged with exercising executive-level oversight to provide that assurance to the Secretary. Last year, we reported that the Board needed to perform more substantive and proactive reviews of IT investments managed by individual OAs. The Board has improved its reviews of investments by most OAs but has been unable so far to have a significant impact on FAA’s air traffic control modernization projects, which are the most complex and challenging systems and account for over 80 percent of the Department’s IT budget.

The Investment Review Board’s Role Needs To Be Clarified
This year, the Board reviewed investment projects managed by various OAs, including FAA. While projects managed by most OAs have benefited from the Board’s oversight, the Board has had little positive impact on complicated air traffic control projects, which are still experiencing significant cost increases and schedule delays.
We reviewed 16 major FAA acquisitions and found that 9 of them had experienced schedule delays of 2 to 12 years, and 11 had experienced cost growth of about $5.6 billion (from $8.9 billion to $14.5 billion). The bulk of the cost growth represented by the $5.6 billion occurred before the establishment of the new Air Traffic Organization and had been building for some time without being recognized. Some of the major investment projects have experienced persistent cost and schedule problems, such as the Wide Area Augmentation System and the Standard Terminal Automation Replacement System.

Nine years after Congress passed acquisition reform for FAA, exempting it from compliance with Federal acquisition regulations, air traffic control modernization projects are still experiencing performance problems, along with the cost increases and schedule delays. Further, FAA’s acquisition process has stayed on the Government Accountability Office’s high-risk list since 1995. Meanwhile, FAA continues to initiate new, costly, and complex IT modernization projects. This year, two new multibillion-dollar FAA investment projects—FAA Telecommunications Infrastructure and En Route Automation Modernization—went forward to OMB without reliable cost, schedule, and other project information. OMB rejected the budget submissions and asked the Board to reexamine business cases for these investment projects.

We are concerned that the Board’s review of major FAA IT investment projects is not providing value-added services as intended. Consequently, the Board’s role risks becoming a paperwork exercise with little substantive value added to help the Secretary. There are two basic reasons for this.

• First, there is a lack of clarity about the Board’s role in reviewing major FAA investment projects.
  The Clinger-Cohen Act of 1996 requires the Secretary to implement a process for “maximizing the value and assessing and managing the risks of the information technology acquisitions of the executive agency.” The Board was created as part of this process and is tasked with advising the Secretary regarding whether to continue, modify, or terminate major IT investments in the Department. However, FAA has frequently cited its independent acquisition authority, based on provisions in the Department’s Appropriations Act for Fiscal Year 1996, to argue that the Board should play only a limited role in overseeing FAA investments. The provision in the Appropriations Act exempted FAA from compliance with the Federal acquisition regulations and key Federal procurement laws to help make the acquisition process more timely and cost-effective.

  The issue that needs to be resolved is whether FAA’s exemption from compliance with the Federal procurement regulations also applies to the investment management oversight requirements of the Clinger-Cohen Act. Until this issue is resolved, it is our opinion that the Board’s continued “review” of FAA’s multibillion-dollar investment projects will not provide reasonable assurance to the Secretary that FAA’s major IT investments are adequately justified and monitored to ensure that they deliver promised benefits approximately on time and within budget.
  This will, in turn, impede the Secretary’s ability to fulfill his responsibilities under the Clinger-Cohen Act.

• Second, to be effective, the Board needs to perform more substantive, in-depth, analytical reviews of progress, problems, and risks associated with these complicated investments. The current level of support available to the Board is not sufficient to allow its members to make responsible decisions about these investments. The Board relies on the “prep group” process, during which OA representatives perform a cursory review of each other’s investment projects. This “prep group” is led by an Associate Chief Information Officer with the support of one mid-level staff person, who came on board only 4 months ago. Obtaining adequate support to research potential shortfalls in project cost, schedule, and performance is essential if the Board is to perform oversight that will maximize the value and manage the risks of major IT investments in the Department.

More Focus Is Needed To Implement Management Tools To Track Progress of Major Systems
Last year, we recommended that the CIO Office develop a better process to select investment projects for the Board’s review. During FY 2005, the Department started using a sophisticated tool to identify at-risk projects for the Board’s review: Earned Value Management (EVM). This approach measures progress against approved cost and schedule baselines.
Through these measures, management can spot early projects that are falling behind schedule or are running over cost, before they become “troubled” (experiencing a greater-than-10-percent variance from the baseline).

However, EVM usage at DOT is still in its infancy and is not yet being applied correctly across the Department. OMB recently issued a memorandum to all agencies, entitled “Improving IT Project Planning and Execution,” which outlines the need for further improvement Governmentwide in the use of EVM and listed 32 criteria developed by the American National Standards Institute. A recent study conducted by FAA on 19 major acquisition projects indicated that EVM reporting for over 60 percent of the projects did not meet OMB criteria.

It is also important that the OAs apply EVM measurements based on complete and accurate information. Otherwise, the tool will produce misleading results. For example, when evaluating whether a multibillion-dollar telecommunications project was proceeding according to schedule, FAA used “site acceptance”—how many sites had equipment installed and tested—to measure progress. However, site acceptance was only an interim step toward the ultimate goal of switching communications services to the new network. By using site acceptance as the measure, management was led to believe that the project was closer to completion than it actually was. DOT needs to ensure that OAs implement EVM management tools effectively by, for example, making sure that OAs provide accurate and complete information for EVM measurement.
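The EVM measures and the site-acceptance problem described above, as an added example that is not from the report or from DOT: constructed site data for a telecommunications rollout, earned value computed two ways (full credit at site acceptance versus credit held back until cutover), and the greater-than-10-percent variance rule applied to flag a project as troubled. The 60 percent acceptance weight, the variance-percentage conventions, and every number in the sample are assumptions.

```python
"""Earned Value Management (EVM) status check with two earning rules.

Added example; the site list, budgets, actual cost and the acceptance
weight are constructed, not figures from the audit report.
"""
from dataclasses import dataclass
from typing import Dict, List

# The report's "troubled" definition: more than a 10 percent variance from baseline.
TROUBLED_THRESHOLD = 0.10


@dataclass(frozen=True)
class SiteWorkPackage:
    name: str
    budget: float      # budgeted cost of this site's work (its share of the baseline)
    accepted: bool     # equipment installed and tested: the interim step
    cut_over: bool     # communications switched to the new network: the real goal


def planned_value(sites: List[SiteWorkPackage]) -> float:
    """PV (BCWS): budgeted value of work scheduled by the status date.
    Constructed assumption: every site was scheduled to be cut over by now."""
    return sum(s.budget for s in sites)


def earned_value(sites: List[SiteWorkPackage], acceptance_credit: float = 0.6) -> float:
    """EV (BCWP): budgeted value of work actually performed.

    acceptance_credit=1.0 reproduces the misleading measure in the report
    (site acceptance counted as completion). A weight below 1.0 (assumed 0.6)
    holds the remainder until cutover, so unfinished sites cannot earn full value.
    """
    ev = 0.0
    for s in sites:
        if s.cut_over:
            ev += s.budget
        elif s.accepted:
            ev += s.budget * acceptance_credit
    return ev


def evm_metrics(pv: float, ev: float, ac: float) -> Dict[str, float]:
    """Standard EVM indicators. Schedule variance is taken as a share of the
    baseline (PV); cost variance as a share of EV. Both are assumed conventions."""
    if pv <= 0 or ev <= 0 or ac <= 0:
        raise ValueError("PV, EV and AC must all be positive for a meaningful status")
    return {
        "PV": pv, "EV": ev, "AC": ac,
        "SV": ev - pv,            # schedule variance: negative means behind schedule
        "CV": ev - ac,            # cost variance: negative means over cost
        "SPI": ev / pv,           # schedule performance index
        "CPI": ev / ac,           # cost performance index
        "SV_pct": (ev - pv) / pv,
        "CV_pct": (ev - ac) / ev,
    }


def is_troubled(m: Dict[str, float], threshold: float = TROUBLED_THRESHOLD) -> bool:
    """Troubled when either variance exceeds the threshold in magnitude."""
    return abs(m["SV_pct"]) > threshold or abs(m["CV_pct"]) > threshold


def assess(sites: List[SiteWorkPackage], actual_cost: float,
           acceptance_credit: float) -> Dict[str, float]:
    """Full status under one earning rule, with the troubled flag attached."""
    m = evm_metrics(planned_value(sites), earned_value(sites, acceptance_credit), actual_cost)
    m["troubled"] = is_troubled(m)
    return m


# Constructed status date: five sites, all accepted, only two actually cut over.
SAMPLE_SITES = [
    SiteWorkPackage("site-A", 100.0, accepted=True, cut_over=True),
    SiteWorkPackage("site-B", 100.0, accepted=True, cut_over=True),
    SiteWorkPackage("site-C", 100.0, accepted=True, cut_over=False),
    SiteWorkPackage("site-D", 100.0, accepted=True, cut_over=False),
    SiteWorkPackage("site-E", 100.0, accepted=True, cut_over=False),
]
SAMPLE_ACTUAL_COST = 470.0   # constructed ACWP to date


if __name__ == "__main__":
    for label, credit in (("site acceptance counted as done", 1.0),
                          ("credit held until cutover", 0.6)):
        m = assess(SAMPLE_SITES, SAMPLE_ACTUAL_COST, credit)
        print(f"{label}: EV={m['EV']:.0f} SPI={m['SPI']:.2f} CPI={m['CPI']:.2f} "
              f"SV%={m['SV_pct']:+.0%} CV%={m['CV_pct']:+.0%} troubled={m['troubled']}")
```

Under the acceptance-as-done rule the same project reports on schedule and within cost; once credit is withheld until cutover it shows a 24 percent schedule shortfall and trips the troubled flag.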
EVM training will also need to be a key focus in the coming year.


RECOMMENDATIONS
In order to strengthen the Department’s information security posture and reduce its vulnerability to economic or operational harm, we recommend that the Department CIO:

Enhance computer systems security reviews by:

   1. Requiring OAs to submit planned schedules for completing systems security (re)certification reviews throughout FY 2006 and conduct quarterly reviews of the progress made against the plans.

   2. Increasing sample checks of OAs’ systems security reviews to ensure compliance with minimum Government standards, including performing recertification reviews of any systems that have experienced major changes.

   3. Ensuring that OAs assess the severity of identified security weaknesses, estimate correction costs, and prioritize the remediation effort accordingly and ensuring that OAs correct deficiencies in a timely manner.

   4. Enhancing security of the DOT system that tracks the plan of action and milestones by limiting access to those with a need to know and developing management audit trails to track changes made in the system.

Enhance DOT network security by:

   5. Finalizing Departmental security standards for configuring the Oracle database and web application software on DOT systems and validating that DOT computers are configured in accordance with established security standards.

   6. Verifying that OAs are correcting computer vulnerabilities and installing manufacturers’ software patches in a timely manner.

   7. Developing a mechanism to ensure that all computers used by telecommuting employees are periodically checked for vulnerabilities and patched with the latest security upgrades.

   8.
      Working with the Federal Railroad Administration to fully implement an intrusion-detection system on its network.

Enhance the DOT continuity of operations plan by:

   9. Requiring the OAs to prepare and test contingency plans and to provide evidence that the contingency plan for critical information systems has been successfully tested.

   10. Developing Departmental policy establishing the minimum acceptable geographical distance between the primary and recovery processing sites for information systems, and setting a target completion date for the OAs to comply with the policy.

Enhance critical infrastructure protection by:

   11. Directing FAA to complete, by the end of FY 2006, security certification reviews that meet NIST standards for operational air traffic control systems at en route centers and to complete security reviews at other operational sites (e.g., approach control centers and airport control towers) by the end of FY 2007, as FAA has committed to doing.

   12. Ensuring that FAA continues to implement its en route continuity of operations plan by testing recovery of computer operations at back-up en route centers and identifying air traffic controllers to operate the reconfigured airspace during FY 2006.

   13. Periodically reviewing the progress and quality of FAA’s certification reviews and en route continuity of operations plan implementation.

Enhance IT investment management controls by:

   14. Clarifying, in consultation with the Secretary, the Departmental Investment Review Board’s role in performing investment management oversight of FAA’s major investments.

   15.
Identifying resources and processes to better support the Board by\n       performing more substantive, in-depth, analytical reviews of progress,\n       problems, and risks associated with major FAA investments.\n\n   16. Ensuring that the OAs receive training in using the EVM management tool\n       and that they use the tool effectively by including accurate and complete\n       cost and schedule information.\n\nMANAGEMENT COMMENTS AND OFFICE OF INSPECTOR\nGENERAL RESPONSE\nThe CIO Office reviewed a draft of this report and provided oral comments. CIO\nOffice officials agreed with the report\xe2\x80\x99s findings and recommendations and stated\nthat they will provide written comments describing the specific actions they will\ntake to implement the recommendations.\n\n\nACTIONS REQUIRED\nIn accordance with DOT Order 8000.1C, we would appreciate receiving your\nwritten comments on this report within 30 calendar days. Please indicate the\nspecific actions taken or planned for each recommendation and a target date for\ncompletion. You may provide alternative courses of action that you believe would\nresolve the issues presented in this report.\n\nWe appreciate the courtesies and cooperation of the Office of the CIO and the\nOAs\xe2\x80\x99 representatives during this audit. If you have any questions concerning this\nreport, please call me at (202) 366-1959 or Theodore Alves, Principal Assistant\nInspector General for Auditing and Evaluation, at (202) 366-1992.\n\n\n\n                                      #\n\ncc: Deputy Secretary\n    Federal Aviation Administrator\n    Martin Gertel, M-1\n\n\n\nExhibit A. 
OIG Input to FISMA Report\n\n
Section C: Inspector General. Questions 1, 2, 3, 4, and 5.\n\n
Agency Name: Department of Transportation\n\n
Questions 1 and 2\n\n
1. As required in FISMA, the IG shall evaluate a representative subset of systems, including information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency. By FIPS 199 risk impact level (high, moderate, low, or not categorized) and by bureau, identify the number of systems reviewed in this evaluation for each classification below (a., b., and c.).\n\n
   To meet the requirement for conducting a NIST Special Publication 800-26 review, agencies can:\n   1) Continue to use NIST Special Publication 800-26, or\n   2) Conduct a self-assessment against the controls found in NIST Special Publication 800-53\n\n
   Agencies are responsible for ensuring the security of information systems used by a contractor of their agency or other organization on behalf of their agency; therefore, self-reporting by contractors does not meet the requirements of law. Self-reporting by another Federal agency, for example, a Federal service provider, may be sufficient. Agencies and service providers have a shared responsibility for FISMA compliance.\n\n
2. For each part of this question, identify actual performance in FY 05 by risk impact level and bureau, in the format provided below. From the representative subset of systems evaluated, identify the number of systems which have completed the following: have a current certification and accreditation, a contingency plan tested within the past year, and security controls tested within the past year.\n\n
Column key for the table below. Question 1: Q1a = FY 05 agency systems, Q1b = FY 05 contractor systems, Q1c = FY 05 total number of systems; Tot = total number, Rev = number reviewed. Question 2: Q2a = number of reviewed systems certified and accredited, Q2b = number of reviewed systems for which security controls have been tested and evaluated in the last year, Q2c = number of reviewed systems for which contingency plans have been tested in accordance with policy and guidance; Num = number, Pct = percent of the systems reviewed. DOT = agency totals across all bureaus. A dash marks a cell left blank on the original form.\n\n
Bureau | Level           | Q1a Agency  | Q1b Contr.  | Q1c Total   | Q2a C&A       | Q2b Controls  | Q2c Contingency\n
       |                 |  Tot |  Rev |  Tot |  Rev |  Tot |  Rev |  Num |    Pct |  Num |    Pct |  Num |    Pct\n
FAA    | High            |   81 |    5 |   11 |    2 |   92 |    7 |    5 |  71.4% |    5 |  71.4% |    - |   0.0%\n
       | Moderate        |  126 |    3 |    8 |    - |  134 |    3 |    2 |  66.7% |    3 | 100.0% |    - |   0.0%\n
       | Low             |   42 |    - |    3 |    - |   45 |    0 |    - |      - |    - |      - |    - |      -\n
       | Not Categorized |    - |    - |    - |    - |    0 |    0 |    - |      - |    - |      - |    0 |      -\n
       | Sub-total       |  249 |    8 |   22 |    2 |  271 |   10 |    7 |  70.0% |    8 |  80.0% |    0 |   0.0%\n
FHWA   | High            |    7 |    - |    - |    - |    7 |    0 |    - |      - |    - |      - |    - |      -\n
       | Moderate        |   13 |    - |    1 |    - |   14 |    0 |    - |      - |    - |      - |    - |      -\n
       | Low             |    2 |    - |    1 |    - |    3 |    0 |    - |      - |    - |      - |    - |      -\n
       | Not Categorized |    - |    1 |    - |    - |    0 |    1 |    1 | 100.0% |    0 |   0.0% |    1 | 100.0%\n
       | Sub-total       |   22 |    1 |    2 |    0 |   24 |    1 |    1 | 100.0% |    0 |   0.0% |    1 | 100.0%\n
FMCSA  | High            |    - |    - |    - |    - |    0 |    0 |    - |      - |    - |      - |    - |      -\n
       | Moderate        |   13 |    - |    3 |    - |   16 |    0 |    - |      - |    - |      - |    - |      -\n
       | Low             |    3 |    - |    - |    - |    3 |    0 |    - |      - |    - |      - |    - |      -\n
       | Not Categorized |    - |    1 |    - |    - |    0 |    1 |    1 | 100.0% |    1 | 100.0% |    0 |   0.0%\n
       | Sub-total       |   16 |    1 |    3 |    0 |   19 |    1 |    1 | 100.0% |    1 | 100.0% |    0 |   0.0%\n
FRA    | High            |    - |    - |    - |    - |    0 |    0 |    - |      - |    - |      - |    - |      -\n
       | Moderate        |   18 |    1 |    3 |    - |   21 |    1 |    1 | 100.0% |    - |   0.0% |    - |   0.0%\n
       | Low             |    - |    - |    - |    - |    0 |    0 |    - |      - |    - |      - |    - |      -\n
       | Not Categorized |    - |    - |    - |    - |    0 |    0 |    - |      - |    0 |      - |    0 |      -\n
       | Sub-total       |   18 |    1 |    3 |    0 |   21 |    1 |    1 | 100.0% |    0 |   0.0% |    0 |   0.0%\n
FTA    | High            |    - |    - |    - |    - |    0 |    0 |    - |      - |    - |      - |    - |      -\n
       | Moderate        |    8 |    - |    1 |    - |    9 |    0 |    - |      - |    - |      - |    - |      -\n
       | Low             |    - |    - |    - |    - |    0 |    0 |    - |      - |    - |      - |    - |      -\n
       | Not Categorized |    - |    - |    - |    1 |    0 |    1 |    1 | 100.0% |    1 | 100.0% |    0 |   0.0%\n
       | Sub-total       |    8 |    0 |    1 |    1 |    9 |    1 |    1 | 100.0% |    1 | 100.0% |    0 |   0.0%\n
MARAD  | High            |    - |    - |    - |    - |    0 |    0 |    - |      - |    - |      - |    - |      -\n
       | Moderate        |    6 |    - |    - |    - |    6 |    0 |    - |      - |    - |      - |    - |      -\n
       | Low             |    - |    - |    - |    - |    0 |    0 |    - |      - |    - |      - |    - |      -\n
       | Not Categorized |    7 |    1 |    - |    - |    7 |    1 |    1 | 100.0% |    0 |   0.0% |    0 |   0.0%\n
       | Sub-total       |   13 |    1 |    0 |    0 |   13 |    1 |    1 | 100.0% |    0 |   0.0% |    0 |   0.0%\n
NHTSA  | High            |    - |    - |    - |    - |    0 |    0 |    - |      - |    - |      - |    - |      -\n
       | Moderate        |    6 |    - |    1 |    - |    7 |    0 |    - |      - |    - |      - |    - |      -\n
       | Low             |   10 |    - |    1 |    - |   11 |    0 |    - |      - |    - |      - |    - |      -\n
       | Not Categorized |    - |    - |    - |    1 |    0 |    1 |    1 | 100.0% |    1 | 100.0% |    1 | 100.0%\n
       | Sub-total       |   16 |    0 |    2 |    1 |   18 |    1 |    1 | 100.0% |    1 | 100.0% |    1 | 100.0%\n
OST    | High            |    6 |    - |    - |    - |    6 |    0 |    - |      - |    - |      - |    - |      -\n
       | Moderate        |   18 |    - |    3 |    - |   21 |    0 |    - |      - |    - |      - |    - |      -\n
       | Low             |   20 |    - |    3 |    - |   23 |    0 |    - |      - |    - |      - |    - |      -\n
       | Not Categorized |    2 |    2 |    - |    - |    2 |    2 |    2 | 100.0% |    1 |  50.0% |    1 |  50.0%\n
       | Sub-total       |   46 |    2 |    6 |    0 |   52 |    2 |    2 | 100.0% |    1 |  50.0% |    1 |  50.0%\n
PHMSA  | High            |    1 |    - |    - |    - |    1 |    0 |    - |      - |    - |      - |    - |      -\n
       | Moderate        |    1 |    1 |    1 |    - |    2 |    1 |    1 | 100.0% |    - |   0.0% |    - |   0.0%\n
       | Low             |    1 |    - |    - |    - |    1 |    0 |    - |      - |    - |      - |    - |      -\n
       | Not Categorized |    - |    - |    - |    - |    0 |    0 |    - |      - |    0 |      - |    0 |      -\n
       | Sub-total       |    3 |    1 |    1 |    0 |    4 |    1 |    1 | 100.0% |    0 |   0.0% |    0 |   0.0%\n
RITA   | High            |    - |    - |    - |    - |    0 |    0 |    - |      - |    - |      - |    - |      -\n
       | Moderate        |   16 |    - |    - |    - |   16 |    0 |    - |      - |    - |      - |    - |      -\n
       | Low             |    1 |    - |    - |    - |    1 |    0 |    - |      - |    - |      - |    - |      -\n
       | Not Categorized |    - |    1 |    - |    - |    0 |    1 |    1 | 100.0% |    1 | 100.0% |    0 |   0.0%\n
       | Sub-total       |   17 |    1 |    0 |    0 |   17 |    1 |    1 | 100.0% |    1 | 100.0% |    0 |   0.0%\n
SLSDC  | High            |    - |    - |    - |    - |    0 |    0 |    - |      - |    - |      - |    - |      -\n
       | Moderate        |    - |    - |    - |    - |    0 |    0 |    - |      - |    - |      - |    - |      -\n
       | Low             |    1 |    - |    - |    - |    1 |    0 |    - |      - |    - |      - |    - |      -\n
       | Not Categorized |    - |    - |    - |    - |    0 |    0 |    - |      - |    - |      - |    - |      -\n
       | Sub-total       |    1 |    0 |    0 |    0 |    1 |    0 |    - |      - |    - |      - |    - |      -\n
STB    | High            |    - |    - |    - |    - |    0 |    0 |    - |      - |    - |      - |    - |      -\n
       | Moderate        |    2 |    - |    - |    - |    2 |    0 |    - |      - |    - |      - |    - |      -\n
       | Low             |    - |    - |    - |    - |    0 |    0 |    - |      - |    - |      - |    - |      -\n
       | Not Categorized |    - |    - |    - |    - |    0 |    0 |    - |      - |    - |      - |    - |      -\n
       | Sub-total       |    2 |    0 |    0 |    0 |    2 |    0 |    - |      - |    - |      - |    - |      -\n
DOT    | High            |   95 |    5 |   11 |    2 |  106 |    7 |    5 |  71.4% |    5 |  71.4% |    0 |   0.0%\n
       | Moderate        |  227 |    5 |   21 |    0 |  248 |    5 |    4 |  80.0% |    3 |  60.0% |    0 |   0.0%\n
       | Low             |   80 |    0 |    8 |    0 |   88 |    0 |    0 |      - |    0 |      - |    0 |      -\n
       | Not Categorized |    9 |    6 |    0 |    2 |    9 |    8 |    8 | 100.0% |    5 |  62.5% |    3 |  37.5%\n
       | Total           |  411 |   16 |   40 |    4 |  451 |   20 |   17 |  85.0% |   13 |  65.0% |    3 |  15.0%\n\n\n
Question 3\n\n
In the format below, evaluate the agency\xe2\x80\x99s oversight of contractor systems, and agency system inventory.\n\n
3.a. The agency performs oversight and evaluation to ensure information systems used or operated by a contractor of the agency or other organization on behalf of the agency meet the requirements of FISMA, OMB policy and NIST guidelines, national security policy, and agency policy. Self-reporting of NIST Special Publication 800-26 requirements by a contractor or other organization is not sufficient; however, self-reporting by another Federal agency may be sufficient.\n
     Response Categories:\n     - Rarely, for example, approximately 0-50% of the time\n     - Sometimes, for example, approximately 51-70% of the time\n     - Frequently, for example, approximately 71-80% of the time\n     - Mostly, for example, approximately 81-95% of the time\n     - Almost Always, for example, approximately 96-100% of the time\n
     Response: Almost Always, for example, approximately 96-100% of the time\n\n
3.b. The agency has developed an inventory of major information systems (including major national security systems) operated by or under the control of such agency, including an identification of the interfaces between each such system and all other systems or networks, including those not operated by or under the control of the agency.\n
     Response Categories:\n     - Approximately 0-50% complete\n     - Approximately 51-70% complete\n     - Approximately 71-80% complete\n     - Approximately 81-95% complete\n     - Approximately 96-100% complete\n
     Response: Approximately 96-100% complete\n\n
3.c. The OIG generally agrees with the CIO on the number of agency owned systems.\n     Response: Yes\n\n
3.d. The OIG generally agrees with the CIO on the number of information systems used or operated by a contractor of the agency or other organization on behalf of the agency.\n     Response: Yes\n\n
3.e. The agency inventory is maintained and updated at least annually.\n     Response: Yes\n\n
3.f. The agency has completed system e-authentication risk assessments.\n     Response: No\n\n
Question 4\n\n
Through this question, and in the format provided below, assess whether the agency has developed, implemented, and is managing an agency wide plan of action and milestone (POA&M) process. Evaluate the degree to which the following statements reflect the status in your agency by choosing from the responses provided in the drop down menu. If appropriate or necessary, include comments in the area provided below.\n\n
For items 4.a.-4.f., the response categories are as follows:\n     - Rarely, for example, approximately 0-50% of the time\n     - Sometimes, for example, approximately 51-70% of the time\n     - Frequently, for example, approximately 71-80% of the time\n     - Mostly, for example, approximately 81-95% of the time\n     - Almost Always, for example, approximately 96-100% of the time\n\n
4.a. The POA&M is an agency wide process, incorporating all known IT security weaknesses associated with information systems used or operated by the agency or by a contractor of the agency or other organization on behalf of the agency.\n     Response: Mostly, for example, approximately 81-95% of the time\n\n
4.b. When an IT security weakness is identified, program officials (including CIOs, if they own or operate a system) develop, implement, and manage POA&Ms for their system(s).\n     Response: Rarely, for example, approximately 0-50% of the time\n\n
4.c. Program officials, including contractors, report to the CIO on a regular basis (at least quarterly) on their remediation progress.\n     Response: Almost Always, for example, approximately 96-100% of the time\n\n
4.d. CIO centrally tracks, maintains, and reviews POA&M activities on at least a quarterly basis.\n     Response: Rarely, for example, approximately 0-50% of the time\n\n
4.e. OIG findings are incorporated into the POA&M process.\n     Response: Almost Always, for example, approximately 96-100% of the time\n\n
4.f. POA&M process prioritizes IT security weaknesses to help ensure significant IT security weaknesses are addressed in a timely manner and receive appropriate resources.\n     Response: Rarely, for example, approximately 0-50% of the time\n\n
Comments: The Department needed to strengthen its security remediation activities to ensure that weaknesses are being corrected in a timely manner and that the most critical weaknesses are corrected first. Currently, the Department has about 3,000 weaknesses pending remediation. However, management could not effectively prioritize their correction because 1,620 weaknesses (more than half of the items in the database) are missing information such as the severity of, and costs to correct, the weakness. Some of these weaknesses clearly require immediate remediation.\n\n
Question 5\n\n
OIG Assessment of the Certification and Accreditation Process. OMB is requesting IGs to provide a qualitative assessment of the agency\xe2\x80\x99s certification and accreditation process, including adherence to existing policy, guidance, and standards. Agencies shall follow NIST Special Publication 800-37, \xe2\x80\x9cGuide for the Security Certification and Accreditation of Federal Information Systems\xe2\x80\x9d (May, 2004) for certification and accreditation work initiated after May, 2004. This includes use of the FIPS 199 (February, 2004), \xe2\x80\x9cStandards for Security Categorization of Federal Information and Information Systems,\xe2\x80\x9d to determine an impact level, as well as associated NIST documents used as guidance for completing risk assessments and security plans.\n\n
Assess the overall quality of the Department\xe2\x80\x99s certification and accreditation process.\n     Response Categories:\n     - Excellent\n     - Good\n     - Satisfactory\n     - Poor\n     - Failing\n     Response: Satisfactory\n\n
Comments: The quality of the security certification reviews has improved during FY 2005. This year our sample review of 20 systems security certification reviews, 6 of which were completed during FY 2005, identified fewer deficiencies in the newer certification reviews. Nonetheless, improving the quality of the certification reviews will be a major challenge for the Department when re-certifying the security of more than 300 systems in the next 2 years.\n\n\n
Section B: Inspector General. Questions 6, 7, 8, and 9.\n\n
Agency Name: Department of Transportation\n\n
Question 6\n\n
6.a. Is there an agency wide security configuration policy? (Yes or No)\n     Response: Yes\n     Comments: none.\n\n
6.b. Configuration guides are available for the products listed below. Identify which software is addressed in the agency wide security configuration policy. Indicate whether or not any agency systems run the software. In addition, approximate the extent of implementation of the security configuration policy on the systems running the software.\n
     Response choices for the extent of implementation:\n     - Rarely, or on approximately 0-50% of the systems running this software\n     - Sometimes, or on approximately 51-70% of the systems running this software\n     - Frequently, or on approximately 71-80% of the systems running this software\n     - Mostly, or on approximately 81-95% of the systems running this software\n     - Almost Always, or on approximately 96-100% of the systems running this software\n\n
Product                   | Addressed in agencywide policy? (Yes, No, or N/A) | Do any agency systems run this software? (Yes or No) | Extent of implementation\n
Windows XP Professional   | Yes | Yes | -\n
Windows NT                | Yes | Yes | -\n
Windows 2000 Professional | Yes | Yes | Frequently, or on approximately 71-80% of the systems running this software\n
Windows 2000 Server       | Yes | Yes | Frequently, or on approximately 71-80% of the systems running this software\n
Windows 2003 Server       | No  | Yes | -\n
Solaris                   | Yes | Yes | Frequently, or on approximately 71-80% of the systems running this software\n
HP-UX                     | No  | Yes | -\n
Linux                     | Yes | Yes | Frequently, or on approximately 71-80% of the systems running this software\n
Cisco Router IOS          | Yes | Yes | Sometimes, or on approximately 51-70% of the systems running this software\n
Oracle                    | No  | Yes | -\n
Other. Specify: Wireless  | Yes | Yes | -\n
(A dash marks a cell left blank on the original form.)\n\n
Comments: DOT has issued 5 configuration standards (server-based Windows, Linux, Solaris, Cisco and Wireless PDA). However, there is little assurance that these security standards have been implemented. In June 2005, the CIO office asked OAs to provide implementation status on these standards. Only 4 of the 12 OAs provided statistics on their implementation effort. Based on our review, the statistics provided by the 4 OAs appeared to be reasonable and were used to form our answers above.\n\n
Question 7\n\n
Indicate whether or not the following policies and procedures are in place at your agency. If appropriate or necessary, include comments in the area provided below.\n\n
7.a. The agency follows documented policies and procedures for identifying and reporting incidents internally. (Yes or No)\n     Response: Yes\n\n
7.b. The agency follows documented policies and procedures for external reporting to law enforcement authorities. (Yes or No)\n     Response: Yes\n\n
7.c. The agency follows defined procedures for reporting to the United States Computer Emergency Readiness Team (US-CERT). http://www.us-cert.gov (Yes or No)\n     Response: Yes\n\n
Comments: none.\n\n\n\n           Exhibit A. 
OIG Input to FISMA Report\n\x0c                                                                                                                                     28\n                                                                Question 8\n\n       Has the agency ensured security training and awareness of all employees, including\n       contractors and those employees with significant IT security responsibilities?\n\n       Response Choices include:\n       - Rarely, or, approximately 0-50% of employees have sufficient training\n                                                                                              - Sometimes, or approximately 51-70% of employees have\n8       - Sometimes, or approximately 51-70% of employees have sufficient training\n                                                                                             sufficient training\n        - Frequently, or approximately 71-80% of employees have sufficient training\n        - Mostly, or approximately 81-95% of employees have sufficient training\n        - Almost Always, or approximately 96-100% of employees have sufficient training\n\n\n\n\n                                                                Question 9\n\n\n\n       Does the agency explain policies regarding peer-to-peer file sharing in IT security\n9      awareness training, ethics training, or any other agency wide training?                                           No\n       Yes or No.\n\n\n\n\n    Exhibit A. OIG Input to FISMA Report\n\x0c                                                                              29\n\n\n\n\nEXHIBIT B. SCOPE AND METHODOLOGY\nDuring FY 2005, we fulfilled the requirements under FISMA by reviewing DOT\xe2\x80\x99s\nmajor financial systems, FAA air traffic control systems, the Federal Railroad\nAdministration systems network, and the implementation of IT capital planning\nand investment control procedures. 
In addition, we sampled 20 systems that had\nundergone security certification reviews to determine whether the OAs had\ncomplied with Government and DOT standards in assessing system risks,\nidentifying security requirements, testing security controls, and accrediting\nsystems to support business operations.\n\nWe assessed DOT\xe2\x80\x99s progress in correcting weaknesses identified in last year\xe2\x80\x99s\nFISMA review. We also provided input to DOT\xe2\x80\x99s FISMA report by answering\nquestions specified by the Office of Management and Budget.\n\nWe used the audit methodologies recommended by the Government\nAccountability Office, and guidelines issued by other Government authorities such\nas the NIST. We used commercial scanning software to assess network\nvulnerabilities.\n\nWe performed our work throughout FY 2005, and focused on reviewing FISMA\nreporting between July 2005 and September 2005 at DOT and OAs\xe2\x80\x99 Headquarters\nlocated in Washington, DC. This performance audit was conducted in accordance\nwith Generally Accepted Government Auditing Standards prescribed by the\nComptroller General of the United States and included such tests as we considered\nnecessary to detect fraud.\n\nWe previously issued four audit reports on DOT\xe2\x80\x99s information security program in\nresponse to the legislative mandate of the FISMA, formerly the Government\nInformation Security Reform Act (GISRA). They are: \xe2\x80\x9cDOT Information\nSecurity Program,\xe2\x80\x9d Report Number FI-2005-001, October 1, 2004; \xe2\x80\x9cDOT\nInformation Security Program,\xe2\x80\x9d Report Number FI-2003-086, September 25,\n2003; \xe2\x80\x9cDOT Information Security Program,\xe2\x80\x9d Report Number FI-2002-115,\nSeptember 27, 2002; and \xe2\x80\x9cDOT Information Security Program,\xe2\x80\x9d Report Number\nFI-2001-090, September 7, 2001.\n\n\n\n\nExhibit B. 
Scope and Methodology\n\x0c                                                                           30\n\n\n\n\nEXHIBIT C. DOT OPERATING ADMINISTRATIONS AND SYSTEM\nINVENTORY COUNTS\n\n\nOperating Administration                      Acronym   FY 2004   FY 2005\n\nFederal Aviation Administration               FAA          285       271\n\nFederal Highway Administration                FHWA          24        24\n\nFederal Motor Carrier Safety Administration   FMCSA         19        19\n\nFederal Railroad Administration               FRA           22        21\n\nFederal Transit Administration                FTA            9         9\n\nMaritime Administration                       MARAD         12        13\n\nNational Highway Traffic Safety               NHTSA         38        18\nAdministration\n\nOffice of the Secretary                       OST           54        52\n\nPipeline and Hazardous Materials Safety       PHMSA          3         4\nAdministration\n\nResearch and Innovative Technology            RITA          16        17\nAdministration\n\nSaint Lawrence Seaway Development             SLSDC          1         1\nCorporation\n\nSurface Transportation Board                  STB            2         2\n\n Total Systems                                             485       451\n\n\n\n\nExhibit C. DOT Operating Administrations and System Inventory\nCounts\n\x0c                                                                         31\n\n\nEXHIBIT D. MAJOR CONTRIBUTORS TO THIS REPORT\n\n\nName                                   Title\n\nRebecca C. Leng                        Assistant Inspector General for\n                                        Information Technology and\n                                        Computer Security\nEd Densmore                            Program Director\nPhil DeGonzague                        Project Manager\nNathan Custer                          Project Manager\nDr. Ping Z. 
Sun                        Project Manager\nLynn Dowds                             Senior Auditor\nTim Roberts                            Senior Auditor\nJohn Johnson                           Senior Information Technology\n                                       Specialist\nMitchell Balakit                       Information Technology\n                                       Specialist\nChristopher Cullerot                   Information Technology\n                                       Specialist\nAtul Darooka                           Information Technology\n                                       Specialist\nNarja Hylton                           Auditor\nMichael P. Fruitman                    Communications Adviser\n\n\n\n\nExhibit D. Major Contributions to This Report\n\x0c'